source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 12843

Last change on this file since 12843 was 12843, checked in by Henrik Bettermann, 9 years ago

Documentation work in progress.

Remove redundant waeup.viewStudentsTab permission.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 23.4 KB
Line 
1## $Id: permissions.py 12843 2015-04-01 10:51:35Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """The everyone-can-do-this-permission is being applied to views/pages
26    that are used by everyone.
27    """
28    grok.name('waeup.Public')
29
30class Anonymous(grok.Permission):
31    """The Anonymous permission is applied to
32    views/pages which are dedicated to anonymous users only. Logged-in users
33    can't access these views.
34    """
35    grok.name('waeup.Anonymous')
36
37class Authenticated(grok.Permission):
38    """The Authenticated permission is applied to pages
39    which can only be used by logged-in users and not by anonymous users.
40    """
41    grok.name('waeup.Authenticated')
42
43class ViewAcademics(grok.Permission):
44    """The ViewAcademics permission is applied to all
45    views of the Academic Section. Users with this permission can view but
46    not edit content in the Academic Section.
47    """
48    grok.name('waeup.viewAcademics')
49
50class ManageAcademics(grok.Permission):
51    """The ManageAcademics permission is applied to all edit
52    pages in the Academic Section. Users who have this permission
53    can change/edit context objects.
54    """
55    grok.name('waeup.manageAcademics')
56
57class ManagePortal(grok.Permission):
58    """The ManagePortal permission is used for very few pages
59    (e.g. the DatacenterSettings page) and is dedicated to portal managers.
60    It is furthermore used to control delete methods of container
61    pages in the Academic Section. The ManageAcademics permission,
62    described above, does enable users to edit content but not to
63    remove sub-containers, like faculties, departments or certificates.
64    Users must have the ManagePortal permission too to remove
65    entire containers.
66    """
67    grok.name('waeup.managePortal')
68
69class ManageUsers(grok.Permission):
70    """The ManageUsers permission is a real superuser permission
71    and therefore very 'dangerous'. It allows to add, remove or edit
72    user accounts. Editing a user account includes the option to assign
73    or remove roles. That means that a user with this permission can lock out
74    other users by either removing their account or by removing all
75    permsissions. Only the system administrator will be able to revert this.
76    """
77    grok.name('waeup.manageUsers')
78
79class ShowStudents(grok.Permission):
80    """Users with this permission do not neccessarily see the 'Students' tab
81    but they can search for students at department, certificate or course
82    level. If they additionally have the ExportData permission they can
83    export the data as csv files.
84
85    Bursary or Department Officers don't have the general ExportData
86    permission (see Roles section) and are only allowed to export bursary
87    or payments overview data respectively.
88    """
89    grok.name('waeup.showStudents')
90
91class ClearAllStudents(grok.Permission):
92    """The ClearAllStudents permission allows to clear all students
93    in a department.
94    """
95    grok.name('waeup.clearAllStudents')
96
97class EditScores(grok.Permission):
98    """The EditScores permission allows to edit scores in course tickets.
99    """
100    grok.name('waeup.editScores')
101
102class TriggerTransition(grok.Permission):
103    """The TriggerTransition permission allows to trigger workflow transitions
104    of student and document objects.
105    """
106    grok.name('waeup.triggerTransition')
107
108class EditUser(grok.Permission):
109    """The EditUser permission is required for editing
110    single user accounts.
111    """
112    grok.name('waeup.editUser')
113
114class ManageDataCenter(grok.Permission):
115    """The ManageDataCenter permission allows to access all pages
116    in the data center. It does not automatically allow to process data.
117    """
118    grok.name('waeup.manageDataCenter')
119
120class ImportData(grok.Permission):
121    """The ImportData permission allows to batch process (import) any kind of
122    portal data except for user data. This processor requires the ManageUsers
123    permission too.
124    """
125    grok.name('waeup.importData')
126
127class ExportData(grok.Permission):
128    """The ExportData permission allows to export any kind of portal
129    data.
130    """
131    grok.name('waeup.exportData')
132
133class ExportPaymentsOverview(grok.Permission):
134    grok.name('waeup.exportPaymentsOverview')
135
136class ExportBursaryData(grok.Permission):
137    grok.name('waeup.exportBursaryData')
138
139class ViewTranscript(grok.Permission):
140    grok.name('waeup.viewTranscript')
141
142class ManagePortalConfiguration(grok.Permission):
143    """The ManagePortalConfiguration permission allows to
144    edit global and sessional portal configuration data.
145    """
146    grok.name('waeup.managePortalConfiguration')
147
148class ManageACBatches(grok.Permission):
149    """The ManageACBatches permission allows to view and
150    manage accesscodes.
151    """
152    grok.name('waeup.manageACBatches')
153
154class PutBiometricDataPermission(grok.Permission):
155    """This permission allows to upload/change biometric data.
156    """
157    grok.name('waeup.putBiometricData')
158
159class GetBiometricDataPermission(grok.Permission):
160    """This permission allows to read biometric data.
161    """
162    grok.name('waeup.getBiometricData')
163
164
165# Local Roles
166class ApplicationsManager(grok.Role):
167    """
168    """
169    grok.name('waeup.local.ApplicationsManager')
170    grok.title(u'Applications Manager')
171    grok.permissions('waeup.viewAcademics')
172
173class DepartmentManager(grok.Role):
174    """
175    """
176    grok.name('waeup.local.DepartmentManager')
177    grok.title(u'Department Manager')
178    grok.permissions('waeup.manageAcademics',
179                     'waeup.showStudents',
180                     'waeup.exportData')
181
182class DepartmentOfficer(grok.Role):
183    """
184    """
185    grok.name('waeup.local.DepartmentOfficer')
186    grok.title(u'Department Officer')
187    grok.permissions('waeup.showStudents',
188                     'waeup.viewAcademics',
189                     'waeup.exportPaymentsOverview')
190
191class ClearanceOfficer(grok.Role):
192    """The clearance officer role is meant for the
193    assignment of dynamic roles only.
194    """
195    grok.name('waeup.local.ClearanceOfficer')
196    grok.title(u'Clearance Officer')
197    grok.permissions('waeup.showStudents',
198                     'waeup.viewAcademics',
199                     'waeup.exportData',
200                     'waeup.clearAllStudents')
201
202class LocalStudentsManager(grok.Role):
203    """The local students manager role is meant for the
204    assignment of dynamic roles only.
205    """
206    grok.name('waeup.local.LocalStudentsManager')
207    grok.title(u'Students Manager')
208    grok.permissions('waeup.showStudents',
209                     'waeup.viewAcademics',
210                     'waeup.exportData')
211
212class LocalWorkflowManager(grok.Role):
213    """The local workflow manager role is meant for the
214    assignment of dynamic roles only.
215    """
216    grok.name('waeup.local.LocalWorkflowManager')
217    grok.title(u'Student Workflow Manager')
218    grok.permissions('waeup.showStudents',
219                     'waeup.viewAcademics',
220                     'waeup.exportData')
221
222class UGClearanceOfficer(grok.Role):
223    """The clearance officer role is meant for the
224    assignment of dynamic roles only.
225    """
226    grok.name('waeup.local.UGClearanceOfficer')
227    grok.title(u'UG Clearance Officer')
228    grok.permissions('waeup.showStudents',
229                     'waeup.viewAcademics',
230                     'waeup.exportData',
231                     'waeup.clearAllStudents')
232
233class PGClearanceOfficer(grok.Role):
234    """The clearance officer role is meant for the
235    assignment of dynamic roles only.
236    """
237    grok.name('waeup.local.PGClearanceOfficer')
238    grok.title(u'PG Clearance Officer')
239    grok.permissions('waeup.showStudents',
240                     'waeup.viewAcademics',
241                     'waeup.exportData',
242                     'waeup.clearAllStudents')
243
244class CourseAdviser100(grok.Role):
245    """The 100 level course adviser role is meant for the
246    assignment of dynamic roles only.
247    """
248    grok.name('waeup.local.CourseAdviser100')
249    grok.title(u'Course Adviser 100L')
250    grok.permissions('waeup.showStudents',
251                     'waeup.viewAcademics',
252                     'waeup.exportData')
253
254class CourseAdviser200(grok.Role):
255    """The course 200 level adviser role is meant for the
256    assignment of dynamic roles only.
257    """
258    grok.name('waeup.local.CourseAdviser200')
259    grok.title(u'Course Adviser 200L')
260    grok.permissions('waeup.showStudents',
261                     'waeup.viewAcademics',
262                     'waeup.exportData')
263
264class CourseAdviser300(grok.Role):
265    """The 300 level course adviser role is meant for the
266    assignment of dynamic roles only.
267    """
268    grok.name('waeup.local.CourseAdviser300')
269    grok.title(u'Course Adviser 300L')
270    grok.permissions('waeup.showStudents',
271                     'waeup.viewAcademics',
272                     'waeup.exportData')
273
274class CourseAdviser400(grok.Role):
275    """The 400 level course adviser role is meant for the
276    assignment of dynamic roles only.
277    """
278    grok.name('waeup.local.CourseAdviser400')
279    grok.title(u'Course Adviser 400L')
280    grok.permissions('waeup.showStudents',
281                     'waeup.viewAcademics',
282                     'waeup.exportData')
283
284class CourseAdviser500(grok.Role):
285    """The 500 level course adviser role is meant for the
286    assignment of dynamic roles only.
287    """
288    grok.name('waeup.local.CourseAdviser500')
289    grok.title(u'Course Adviser 500L')
290    grok.permissions('waeup.showStudents',
291                     'waeup.viewAcademics',
292                     'waeup.exportData')
293
294class CourseAdviser600(grok.Role):
295    """The 600 level course adviser role is meant for the
296    assignment of dynamic roles only.
297    """
298    grok.name('waeup.local.CourseAdviser600')
299    grok.title(u'Course Adviser 600L')
300    grok.permissions('waeup.showStudents',
301                     'waeup.viewAcademics',
302                     'waeup.exportData')
303
304class CourseAdviser700(grok.Role):
305    """The 700 level course adviser role is meant for the
306    assignment of dynamic roles only.
307    """
308    grok.name('waeup.local.CourseAdviser700')
309    grok.title(u'Course Adviser 700L')
310    grok.permissions('waeup.showStudents',
311                     'waeup.viewAcademics',
312                     'waeup.exportData')
313
314class CourseAdviser800(grok.Role):
315    """The 800 level course adviser role is meant for the
316    assignment of dynamic roles only.
317    """
318    grok.name('waeup.local.CourseAdviser800')
319    grok.title(u'Course Adviser 800L')
320    grok.permissions('waeup.showStudents',
321                     'waeup.viewAcademics',
322                     'waeup.exportData')
323
324class Lecturer(grok.Role):
325    """The lecturer role is meant for the
326    assignment of dynamic roles only.
327    """
328    grok.name('waeup.local.Lecturer')
329    grok.title(u'Lecturer')
330    grok.permissions('waeup.showStudents',
331                     'waeup.editScores',
332                     'waeup.viewAcademics',
333                     'waeup.exportData')
334
335class Owner(grok.Role):
336    grok.name('waeup.local.Owner')
337    grok.title(u'Owner')
338    grok.permissions('waeup.editUser')
339
340# Site Roles
341class AcademicsOfficer(grok.Role):
342    """An Academics Officer can  can view but not edit data in the
343    Academics Section.
344
345    This is the default role which is automatically assigned to all
346    officers of the portal. A user with this role can access all display pages
347    at faculty, department, course, certificate and certificate course level.
348    """
349    grok.name('waeup.AcademicsOfficer')
350    grok.title(u'Academics Officer (view only)')
351    grok.permissions('waeup.viewAcademics')
352
353class AcademicsManager(grok.Role):
354    """An Academics Manager can view and edit all data in the
355    Academics section. A user with this role can access all manage pages
356    at faculty, department, course, certificate and certificate course level.
357    """
358    grok.name('waeup.AcademicsManager')
359    grok.title(u'Academics Manager')
360    title = u'Academics Manager'
361    grok.permissions('waeup.viewAcademics',
362                     'waeup.manageAcademics')
363
364class ACManager(grok.Role):
365    """This is the role for Access Code Managers.
366    An ACManager can view and manage the Accesscodes Section.
367    """
368    grok.name('waeup.ACManager')
369    grok.title(u'Access Code Manager')
370    grok.permissions('waeup.manageACBatches')
371
372class DataCenterManager(grok.Role):
373    """This single-permission role is dedicated to those users
374    who are charged with batch processing of portal data.
375    A DataCenterManager manager can access all pages in the Data Center
376    (see ManageDataCenter permission above).
377    """
378    grok.name('waeup.DataCenterManager')
379    grok.title(u'Datacenter Manager')
380    grok.permissions('waeup.manageDataCenter')
381
382class ImportManager(grok.Role):
383    """An ImportManager is a DataCenterManager who is also allowed
384    to batch process (import) data. All batch processors (importers) are
385    available except for the User Processor. This processor requires the
386    UsersManager role too. The ImportManager role includes the
387    DataCenterManager role.
388    """
389    grok.name('waeup.ImportManager')
390    grok.title(u'Import Manager')
391    grok.permissions('waeup.manageDataCenter',
392                     'waeup.importData')
393
394class ExportManager(grok.Role):
395    """An ExportManager is a DataCenterManager who is also allowed
396    to export all kind of portal data. The ExportManager role includes the
397    DataCenterManager role.
398    """
399    grok.name('waeup.ExportManager')
400    grok.title(u'Export Manager')
401    grok.permissions('waeup.manageDataCenter',
402                     'waeup.exportData')
403
404class BursaryOfficer(grok.Role):
405    """BursaryOfficers can export bursary data. They can't access the
406    Data Center but see export buttons in the Academic Section.
407    """
408    grok.name('waeup.BursaryOfficer')
409    grok.title(u'Bursary Officer')
410    grok.permissions('waeup.showStudents',
411                     'waeup.viewAcademics',
412                     'waeup.exportBursaryData')
413
414class UsersManager(grok.Role):
415    """See ManageUsers permission.
416    """
417    grok.name('waeup.UsersManager')
418    grok.title(u'Users Manager')
419    grok.permissions('waeup.manageUsers',
420                     'waeup.editUser')
421
422class WorkflowManager(grok.Role):
423    """See TriggerTransition permission.
424    """
425    grok.name('waeup.WorkflowManager')
426    grok.title(u'Workflow Manager')
427    grok.permissions('waeup.triggerTransition')
428
429class PortalManager(grok.Role):
430    """The portal manager role is the maximum set of Kofa permissions
431    which are needed to manage the entire portal. This set must not
432    be changed or customized. It is recommended to assign this role only
433    to only a few portal administrators. A less dangerous manager role is the
434    CCOfficer role described below. For the most tasks the CCOfficer role
435    is sufficient.
436    """
437    grok.name('waeup.PortalManager')
438    grok.title(u'Portal Manager')
439    grok.permissions('waeup.managePortal',
440                     'waeup.manageUsers',
441                     'waeup.viewAcademics', 'waeup.manageAcademics',
442                     'waeup.manageACBatches',
443                     'waeup.manageDataCenter',
444                     'waeup.importData',
445                     'waeup.exportData',
446                     'waeup.viewTranscript',
447                     'waeup.viewDocuments', 'waeup.manageDocuments',
448                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
449                     'waeup.manageApplication', 'waeup.handleApplication',
450                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
451                     'waeup.viewApplicationStatistics',
452                     'waeup.viewStudent', 'waeup.manageStudent',
453                     'waeup.clearStudent', 'waeup.payStudent',
454                     'waeup.uploadStudentFile', 'waeup.showStudents',
455                     'waeup.clearAllStudents',
456                     'waeup.editScores',
457                     'waeup.triggerTransition',
458                     'waeup.viewStudentsContainer',
459                     'waeup.handleAccommodation',
460                     'waeup.viewHostels', 'waeup.manageHostels',
461                     'waeup.editUser',
462                     'waeup.loginAsStudent',
463                     'waeup.manageReports',
464                     'waeup.manageJobs',
465                     )
466
467class CCOfficer(grok.Role):
468    """The role of the Computer Center Officer is basically a copy
469    of the the PortalManager role. Some 'dangerous' permissions are excluded
470    by commenting them out (see source code). If officers need to gain more
471    access rights than defined in this role, do not hastily switch to the
472    PortalManager role but add further manager roles instead. Additional
473    roles could be: UsersManager, ACManager, ImportManager, WorkflowManager
474    or StudentImpersonator.
475
476    CCOfficer is a base class which means that this role is meant
477    for customization. It is not used in the `waeup.kofa` base package.
478    """
479    grok.baseclass()
480    grok.name('waeup.CCOfficer')
481    grok.title(u'Computer Center Officer')
482    grok.permissions(#'waeup.managePortal',
483                     #'waeup.manageUsers',
484                     'waeup.viewAcademics', 'waeup.manageAcademics',
485                     #'waeup.manageACBatches',
486                     'waeup.manageDataCenter',
487                     #'waeup.importData',
488                     'waeup.exportData',
489                     'waeup.viewTranscript',
490                     'waeup.viewDocuments', 'waeup.manageDocuments',
491                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
492                     'waeup.manageApplication', 'waeup.handleApplication',
493                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
494                     'waeup.viewApplicationStatistics',
495                     'waeup.viewStudent', 'waeup.manageStudent',
496                     'waeup.clearStudent', 'waeup.payStudent',
497                     'waeup.uploadStudentFile', 'waeup.showStudents',
498                     'waeup.clearAllStudents',
499                     'waeup.editScores',
500                     #'waeup.triggerTransition',
501                     'waeup.viewStudentsContainer',
502                     'waeup.handleAccommodation',
503                     'waeup.viewHostels', 'waeup.manageHostels',
504                     #'waeup.editUser',
505                     #'waeup.loginAsStudent',
506                     'waeup.manageReports',
507                     #'waeup.manageJobs',
508                     )
509
510def get_all_roles():
511    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
512    """
513    return getUtilitiesFor(IRole)
514
515def get_waeup_roles(also_local=False):
516    """Get all Kofa roles.
517
518    Kofa roles are ordinary roles whose id by convention starts with
519    a ``waeup.`` prefix.
520
521    If `also_local` is ``True`` (``False`` by default), also local
522    roles are returned. Local Kofa roles are such whose id starts
523    with ``waeup.local.`` prefix (this is also a convention).
524
525    Returns a generator of the found roles.
526    """
527    for name, item in get_all_roles():
528        if not name.startswith('waeup.'):
529            # Ignore non-Kofa roles...
530            continue
531        if not also_local and name.startswith('waeup.local.'):
532            # Ignore local roles...
533            continue
534        yield item
535
536def get_waeup_role_names():
537    """Get the ids of all Kofa roles.
538
539    See :func:`get_waeup_roles` for what a 'KofaRole' is.
540
541    This function returns a sorted list of Kofa role names.
542    """
543    return sorted([x.id for x in get_waeup_roles()])
544
545class LocalRolesAssignable(grok.Adapter):
546    """Default implementation for `ILocalRolesAssignable`.
547
548    This adapter returns a list for dictionaries for objects for which
549    we want to know the roles assignable to them locally.
550
551    The returned dicts contain a ``name`` and a ``title`` entry which
552    give a role (``name``) and a description, for which kind of users
553    the permission is meant to be used (``title``).
554
555    Having this adapter registered we make sure, that for each normal
556    object we get a valid `ILocalRolesAssignable` adapter.
557
558    Objects that want to offer certain local roles, can do so by
559    setting a (preferably class-) attribute to a list of role ids.
560
561    You can also define different adapters for different contexts to
562    have different role lookup mechanisms become available. But in
563    normal cases it should be sufficient to use this basic adapter.
564    """
565    grok.context(Interface)
566    grok.provides(ILocalRolesAssignable)
567
568    _roles = []
569
570    def __init__(self, context):
571        self.context = context
572        role_ids = getattr(context, 'local_roles', self._roles)
573        self._roles = [(name, role) for name, role in get_all_roles()
574                       if name in role_ids]
575        return
576
577    def __call__(self):
578        """Get a list of dictionaries containing ``names`` (the roles to
579        assign) and ``titles`` (some description of the type of user
580        to assign each role to).
581        """
582        list_of_dict = [dict(
583                name=name,
584                title=role.title,
585                description=role.description)
586                for name, role in self._roles]
587        return sorted(list_of_dict, key=lambda x: x['name'])
588
589def get_all_users():
590    """Get a list of dictionaries.
591    """
592    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
593    for key, val in users:
594        yield(dict(name=key, val=val))
595
596def get_users_with_local_roles(context):
597    """Get a list of dicts representing the local roles set for `context`.
598
599    Each dict returns `user_name`, `user_title`, `local_role`,
600    `local_role_title`, and `setting` for each entry in the local
601    roles map of the `context` object.
602    """
603    try:
604        role_map = IPrincipalRoleMap(context)
605    except TypeError:
606        # no map no roles.
607        raise StopIteration
608    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
609        user = grok.getSite()['users'].get(user_name,None)
610        user_title = getattr(user, 'title', user_name)
611        local_role_title = getattr(
612            dict(get_all_roles()).get(local_role, None), 'title', None)
613        yield dict(user_name = user_name,
614                   user_title = user_title,
615                   local_role = local_role,
616                   local_role_title = local_role_title,
617                   setting = setting)
618
619def get_users_with_role(role, context):
620    """Get a list of dicts representing the usres who have been granted
621    a role for `context`.
622    """
623    try:
624        role_map = IPrincipalRoleMap(context)
625    except TypeError:
626        # no map no roles.
627        raise StopIteration
628    for user_name, setting in role_map.getPrincipalsForRole(role):
629        user = grok.getSite()['users'].get(user_name,None)
630        user_title = getattr(user, 'title', user_name)
631        user_email = getattr(user, 'email', None)
632        yield dict(user_name = user_name,
633                   user_title = user_title,
634                   user_email = user_email,
635                   setting = setting)
Note: See TracBrowser for help on using the repository browser.